The format of the pillar file can be seen below, as well as in /opt/so/saltstack/default/pillar/thresholding/pillar.usage and /opt/so/saltstack/default/pillar/thresholding/pillar.example. Some node types get their IP assigned to multiple host groups. You can add NIDS rules in /opt/so/saltstack/local/salt/idstools/local.rules on your manager. All the following will need to be run from the manager. Revision 39f7be52. There isn't much in here other than anywhere, dockernet, localhost and self. Copyright 2023. The reason I have a hub and not a switch is so that all traffic is forwarded to every device connected to it, so Security Onion can see the traffic sent from the attacking Kali Linux machine to the Windows machines. Please keep this value below 90 seconds, otherwise systemd will reach its timeout and terminate the service. It's simple enough to run in small environments without many issues and allows advanced users to deploy distributed systems that can be used in enterprise network environments. As shown above, we edit the minion pillar and add the SID to the idstools - sids - disabled section. (Archived 1/22) Tuning NIDS Rules in Security Onion, Dec 22, 2021. This video has been archived as of January 2022 - the latest. To verify the Snort version, type in snort -V and hit Enter. /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml is where host group and port group associations would be made to create custom host group and port group assignments that would apply to all nodes of a certain role type in the grid. This first sub-section will discuss network firewalls outside of Security Onion. ELSA? Minion pillar file: This is the minion specific pillar file that contains pillar definitions for that node. The rule is missing a little syntax, maybe try: alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1;).
At the end of this example, IPs in the analyst host group will be able to connect to 80, 443 and 8086 on our standalone node. If you have multiple entries for the same SID, it will cause an error in Salt, resulting in all of the nodes in your grid erroring out when checking in. Security Onion has Snort built in and therefore runs in the same instance. The second only needs the $ character escaped to prevent bash from treating that as a variable. Once logs are generated by network sniffing processes or endpoints, where do they go? Check out our NIDS tuning video at https://youtu.be/1jEkFIEUCuI! 3. You can then run curl http://testmynids.org/uid/index.html on the node to generate traffic which should cause this rule to alert (and the original rule that it was copied from, if it is enabled). For example: If you need to modify a part of a rule that contains a special character, such as a $ in variable names, the special character needs to be escaped in the search part of the modify string. You could try testing a rule . After adding your rules, update the configuration by running so-strelka-restart on all nodes running Strelka. Have you tried something like this, in case you are not getting traffic to $HOME_NET? It's important to note that with this functionality, care should be given to the suppressions being written to make sure they do not suppress legitimate alerts. This error now occurs in the log due to a change in the exception handling within Salt's event module.
If SID 4321 is noisy, you can disable it as follows: From the manager, run the following to update the config: If you want to disable multiple rules at one time, you can use a regular expression, but make sure you enclose the full entry in single quotes like this: We can use so-rule to modify an existing NIDS rule. In this file, the idstools section has a modify sub-section where you can add your modifications. You may see the following error in the salt-master log located at /opt/so/log/salt/master: The root cause of this error is a state trying to run on a minion when another state is already running. But after I run the rule-update command, no alert is generated in Sguil based on that rule. It was working when I first installed Security Onion. Though each engine uses its own severity level system, Security Onion converts that to a standardized alert severity: event.severity: 4 ==> event.severity_label: critical, event.severity: 3 ==> event.severity_label: high, event.severity: 2 ==> event.severity_label: medium, event.severity: 1 ==> event.severity_label: low. In a distributed deployment, the manager node controls all other nodes via Salt. We can start by listing any rules that are currently modified: Let's first check the syntax for the add option: Now that we understand the syntax, let's add our modification: Once the command completes, we can verify that our modification has been added: Finally, we can check the modified rule in /opt/so/rules/nids/all.rules: To include an escaped $ character in the regex pattern you'll need to make sure it's properly escaped. One thing you can do with it (and the one that most people are interested in) is to configure it for IDS mode. To add local YARA rules, create a directory in /opt/so/saltstack/local/salt/strelka/rules, for example localrules. After viewing your redacted sostat it seems that the ICMP and UDP rules are triggering: Are you using SO within a VM?
Set anywhere from 5 to 12 in the local_rules Kevin. In this step we are redefining the nginx port group, so be sure to include the default ports as well if you want to keep them: Associate this port group redefinition to a node. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes. Naming convention: The collection of server processes has a server name separate from the hostname of the box. How are they stored? If you built the rule correctly, then Snort should be back up and running. If so, then tune the number of AF-PACKET workers for sniffing processes. Here, we will show you how to add the local rule and then use the Python library scapy to trigger the alert. This was implemented to avoid some issues that we have seen regarding Salt states that used the ip_interfaces grain to grab the management interface IP. It is now read-only. For example, the following threshold IP exceeds the 64-character limit: This results in the following error in the Suricata log: The solution is to break the ip field into multiple entries like this: A suppression rule allows you to make some finer grained decisions about certain rules without the onus of rewriting them. Can anyone tell me what I've done wrong please? The National Institute of Standards and Technology (NIST) 800-171 cybersecurity standard has four safeguards that are related to network traffic monitoring: 3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information Any definitions made here will override anything defined in other pillar files, including global.
"; reference: url,http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-year.html; content: "toolsmith"; flow:to_server; nocase; sid:9000547; metadata:policy security-ips; rev:1). Previously, in the case of an exception, the code would just pass. Start by creating Berkeley Packet Filters (BPFs) to ignore any traffic that you don't want your network sensors to process. The rule categories are Malware-Cnc, Blacklist, SQL injection, Exploit-kit, and rules from the connectivity ruleset. Security: CVSS score of 8 or higher; vulnerability age is four years old and newer. The rule categories include Balanced and Connectivity, with one additional category being App-detect. Host groups are similar to port groups but for storing lists of hosts that will be allowed to connect to the associated port groups. To enable them, either revert the policy by remarking the ips_policy line (and run rule-update), or add the policy type to the rules in local.rules. You should only run the rules necessary for your environment, so you may want to disable entire categories of rules that don't apply to you. In a distributed Security Onion environment, you only need to change the configuration in the manager pillar and then all other nodes will get the updated rules automatically. Of course, the target IP address will most likely be different in your environment: destination d_tcp { tcp("192.168.3.136" port(514)); }; log { Let's add a simple rule that will alert on the detection of a string in a tcp session: Run rule-update (this will merge local.rules into downloaded.rules, update sid-msg.map, and restart processes as necessary): If you built the rule correctly, then Snort/Suricata should be back up and running. If you need to increase this delay, it can be done using the salt:minion:service_start_delay pillar. The set of processes includes sguild, mysql, and optionally the Elastic stack (Elasticsearch, Logstash, Kibana) and Curator. PFA local.rules.
According to NIST, which step in the digital forensics process involves drawing conclusions from data? Default YARA rules are provided from Florian Roth's signature-base GitHub repo at https://github.com/Neo23x0/signature-base. Diagnostic logs can be found in /opt/so/log/salt/. Check your syslog-ng configuration for the name of the local log source ("src" is used on SUSE systems). If you don't want to wait for these automatic processes, you can run them manually from the manager (replacing $SENSORNAME_$ROLE as necessary): Let's add a simple rule to /opt/so/saltstack/local/salt/idstools/local.rules that's really just a copy of the traditional id check returned root rule: Restart Suricata (replacing $SENSORNAME_$ROLE as necessary): If you built the rule correctly, then Suricata should be back up and running. The signature id (SID) must be unique. To generate traffic we are going to use the Python library scapy to craft packets with specific information to ensure we trigger the alert with the information we want: Craft the layer 2 information. Global pillar file: This is the pillar file that can be used to make global pillar assignments to the nodes. alert icmp any any -> any any (msg: "ICMP Testing"; sid:1000001; rev:1;). This will add the host group to, Add the desired IPs to the host group. These non-manager nodes are referred to as Salt minions. More information on each of these topics can be found in this section. Started by Doug Burks, and first released in 2009, Security Onion has. Please provide the output of sostat-redacted, attaching as a plain text file, or by using a service like Pastebin.com.
If you need to manually update your rules, you can run the following on your manager node: If you have a distributed deployment and you update the rules on your manager node, then those rules will automatically replicate from the manager node to your sensors within 15 minutes. You can use Salt's test.ping to verify that all your nodes are up: Similarly, you can use Salt's cmd.run to execute a command on all your nodes at once. You'll need to ensure the first of the two properly escapes any characters that would be interpreted by regex. You need to configure Security Onion to send syslog so that InsightIDR can ingest it. Then tune your IDS rulesets. For more information, please see https://docs.saltproject.io/en/latest/topics/troubleshooting/yaml_idiosyncrasies.html. Salt sls files are in YAML format. Port groups are a way of grouping together ports, similar to a firewall port/service alias. When configuring network firewalls for Internet-connected deployments (non-Airgap), you'll want to ensure that the deployment can connect outbound to the following: In the case of a distributed deployment, you can configure your nodes to pull everything from the manager so that only the manager requires Internet access. From the Command Line. 2GB RAM will provide decent performance for the Sguil client and retrieving packet captures from the server, but also enough to run Security Onion in standalone mode for monitoring the local client and testing packet captures with tools like tcpreplay. In many of the use cases below, we are providing the ability to modify a configuration file by editing either the global or minion pillar file. You can learn more about Snort and writing Snort signatures from the Snort Manual. Adding local rules in Security Onion is a rather straightforward process.
Security Onion layers: Ubuntu-based OS; Snort, Suricata; Snorby; Bro; Sguil; Squert. /opt/so/saltstack/local/salt/firewall/portgroups.local.yaml defines custom port groups. Here are some of the items that can be customized with pillar settings: Currently, the salt-minion service startup is delayed by 30 seconds. Answered by weslambert on Dec 15, 2021. Salt minions must be able to connect to the manager node on ports, /opt/so/saltstack/local/pillar/global.sls, /opt/so/saltstack/local/pillar/minions/.sls, https://docs.saltproject.io/en/getstarted/system/communication.html, https://docs.saltproject.io/en/latest/topics/troubleshooting/yaml_idiosyncrasies.html. Salt is a core component of Security Onion 2 as it manages all processes on all nodes. For example, if you want to modify SID 2009582 and change $EXTERNAL_NET to $HOME_NET: The first string is a regex pattern, while the second is just a raw value. For example, suppose we want to disable SID 2100498. This way, you still have the basic ruleset, but the situations in which they fire are altered. Security Onion is an open-source and free Linux distribution for log management, enterprise security monitoring, and intrusion detection. This repository has been archived by the owner on Apr 16, 2021. Tried as per your syntax, but the issue still persists. 2. In Security Onion, locally created rules are stored in /opt/so/rules/nids/local.rules. Please note if you are using a ruleset that enables an IPS policy in /etc/nsm/pulledpork/pulledpork.conf, your local rules will be disabled. 1. Open /etc/nsm/rules/local.rules using your favorite text editor. The remainder of this section will cover the host firewall built into Security Onion. These policy types can be found in /etc/nsm/rules/downloaded.rules.
To enable or disable SIDs for Suricata, the Salt idstools pillar can be used in the minion pillar file (/opt/so/saltstack/local/pillar/minions/_.sls). This will add the IPs to the host group in, Since we reused the syslog port group that is already defined, we don't need to create a new port group. For some alerts, your understanding of your own network and the business being transacted across it will be the deciding factor. When I run 'rule-update' it gives an error that there are no rules in /usr/local/lib/snort_dynamicrules. You can find the latest version of this page at: https://securityonion.net/docs/AddingLocalRules. If you right click on the, you can learn more about Snort and writing Snort signatures from the.